Mko Posted August 4, 2012 Share Posted August 4, 2012 Hey all, I have the following code: $db2 = new mysqli('localhost', 'root', '', 'vbulletin'); $db2->connect(); include_once("./vb_plugin.php"); $query = "UPDATE players SET mgroup = '{$vbulletin->GPC['user']['usergroupid']}', mgroup_others='{$vbulletin->GPC['user']['membergroupids']}', name='{$vbulletin->GPC['user']['username']}'"; if (!empty($vbulletin->GPC['password'])){ $salt = fetch_user_salt_new(); $hash = fetch_user_hash_new(); $query .= ", phash='{$hash}', psalt='" .$salt. "'"; } $groups = ""; if (is_array($vbulletin->GPC['user']['membergroupids'])) { foreach ($vbulletin->GPC['user']['membergroupids'] AS $key => $val){ $groups .= "{$val},"; } } $query .= ", mgroup_others='{$groups}'"; $query .= " WHERE id = {$vbulletin->GPC['userid']}"; $db2->query($query); $db2->close(); I'm wondering: a) If anyone can help me with making this code's queries into prepared statements b) If prepared statements can't be used, is this code vulnerable at all? Thanks for any help, Mark Link to comment https://forums.phpfreaks.com/topic/266676-converting-some-php-code-into-mysqli-prepared-statements/ Share on other sites More sharing options...
cpd Posted August 4, 2012 Share Posted August 4, 2012 We technically can't determine whether or not its safe as the $vbuletin object may have performed some sort of process on the data before using it in the query. However, taking your skill level into account I'd assume its not safe. You need to firstly read up on PDO prepared statements and how to use them then relate it to your current code and implement it. Typically you'll prepare a statement using PDO::prepare($sql); then bind the parameters to the statement using PDOStatement::bindParam();. When you read up on PDO it'll make more sense. Link to comment https://forums.phpfreaks.com/topic/266676-converting-some-php-code-into-mysqli-prepared-statements/#findComment-1366783 Share on other sites More sharing options...
Mko Posted August 4, 2012 Author Share Posted August 4, 2012 We technically can't determine whether or not its safe as the $vbuletin object may have performed some sort of process on the data before using it in the query. However, taking your skill level into account I'd assume its not safe. You need to firstly read up on PDO prepared statements and how to use them then relate it to your current code and implement it. Typically you'll prepare a statement using PDO::prepare($sql); then bind the parameters to the statement using PDOStatement::bindParam();. When you read up on PDO it'll make more sense. What I really need to do is be able to append new query parts to the existing query at the beginning using Prepared Statements. Link to comment https://forums.phpfreaks.com/topic/266676-converting-some-php-code-into-mysqli-prepared-statements/#findComment-1366784 Share on other sites More sharing options...
cpd Posted August 5, 2012 Share Posted August 5, 2012 Within the select/where? Just keep appending data to a string, then prepare the string, bind parameters and execute... Link to comment https://forums.phpfreaks.com/topic/266676-converting-some-php-code-into-mysqli-prepared-statements/#findComment-1366922 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.